Fortinet, Cisco, SonicWall, Pulse Secure, and Citrix.

About the Flaw

According to the FBI flash alert [PDF], the flaw allowed APT group(s) to reach an unrestricted file upload function and drop a web shell, giving them root access on the device, elevated privileges, and a base for further exploitation and follow-on activity.

“Exploitation of this vulnerability then served as a jumping-off point into other infrastructure for the APT actors,” FBI’s advisory noted.

Further, the agency shared that the attackers used the web shell for lateral movement and targeted additional U.S. infrastructure using a malicious SSH service, obtaining an initial foothold into vulnerable networks and maintaining long-term persistence.

The flaw impacted all FatPipe WARP, MPVPN, and IPVPN device software before the latest versions, 10.1.2r60p93 and 10.2.2r44p1. 

FatPipe Advisory

FatPipe released a separate security advisory titled FPSA001: Remote Privilege Escalation, confirming the vulnerability. The company noted that the flaw was detected in the “web management interface of FatPipe software,” and that it would let a remote attacker upload a file anywhere on the impacted device’s filesystem.

The company also revealed the actual cause of the vulnerability, noting that it was due to a lack of input validation and verification mechanisms for certain HTTP requests.

“An attacker could exploit this vulnerability by sending a modified HTTP request to the affected device.”
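To illustrate the class of defect the advisory describes (an upload path taken from an HTTP request without validation, so a file can land anywhere on the filesystem), here is an added Python example, not FatPipe's code or anything from the advisory; the upload root, allowed suffixes and function names are assumptions.

```python
import os
from pathlib import Path
from typing import Optional

# Constructed values: the only directory the web UI should ever write into,
# and the file types a legitimate upload would carry.
UPLOAD_ROOT = Path("/var/www/uploads")
ALLOWED_SUFFIXES = {".cfg", ".txt"}


def vulnerable_destination(upload_root: Path, filename: str) -> Path:
    """Unvalidated: the client-supplied name is joined straight onto the root.
    An absolute name replaces the root entirely, and '..' segments walk out
    of it, so the request decides where on the filesystem the file is written."""
    return Path(os.path.join(str(upload_root), filename))


def safe_destination(upload_root: Path, filename: str) -> Optional[Path]:
    """Hardened: reject any path component, whitelist the suffix, and confirm
    after resolving symlinks that the target is a direct child of upload_root.
    Returns None when the request must be refused."""
    # Any separator, NUL byte, or dot-only name is a path manipulation attempt.
    if not filename or "/" in filename or "\\" in filename or "\x00" in filename:
        return None
    if filename in (".", ".."):
        return None
    if Path(filename).suffix.lower() not in ALLOWED_SUFFIXES:
        return None
    candidate = (upload_root / filename).resolve()
    if candidate.parent != upload_root.resolve():  # containment check
        return None
    return candidate


def triage(filenames) -> dict:
    """Map each constructed filename to 'accepted' or 'rejected' under the
    hardened check, for a quick side-by-side view."""
    return {name: ("accepted" if safe_destination(UPLOAD_ROOT, name) else "rejected")
            for name in filenames}


if __name__ == "__main__":
    for name, verdict in triage(["site.cfg", "../../etc/x.cfg", "/etc/y.txt", "s.php"]).items():
        print(f"{name!r}: {verdict}")
```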

Upgrade NOW!

The FBI has warned organizations and users of FatPipe VPN software that exploitation activity could be difficult to detect since cleanup scripts designed to remove traces of the threat actors’ activity were identified in a majority of the cases.


Organizations that discover any such activity related to network compromise must take immediate action. FatPipe released a patch on 16 November 2021 that fixes the vulnerability, and all users are urged to upgrade their software without delay.

“FBI strongly urges system administrators to upgrade their devices immediately and to follow other FatPipe security recommendations such as disabling UI and SSH access from the WAN interface (externally facing) when not actively using it,” the FBI stated. 


Posted by Charlie